SQLYog MySQL HTTP Tunnel Detection
Medium Nessus Network Monitor Plugin ID 3804
Synopsis
The remote host is running an inherently insecure protocol or application.
Description
The remote host is running a MySQL database. In addition, a PHP script is installed that allows MySQL connections to be tunneled over HTTP. This sort of connection is typically utilized when the database administrator does not have access to connect to the database from remote locations. The tunnel does not use any sort of encryption and exposes credentials to passive sniffing. In addition, as the PHP script connects to the database from the localhost, database authentication does not look for the originating IP address within the GRANT tables but instead uses the server IP as the originating source. Not only does the script allow database admins to bypass firewall restrictions and log in insecurely, it also exposes the database to brute-force attacks from anonymous users.
Solution
For remote database administration, choose a method of connection that is restricted to only trusted sources and encrypts the authentication credentials.
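The GRANT-table point in the Description can be checked against an account list. The following is an added audit example, not part of the plugin or of SQLyog: it lists accounts whose host restriction rejects a remote client directly but accepts the same client once the connection originates from the database host. The account rows and addresses are constructed, the tunnel is assumed to run on the database host, and the matching is simplified (it ignores MySQL's row-precedence ordering).

```python
import ipaddress
import re

# Constructed sample data: (user, host) rows as they would appear in mysql.user.
ACCOUNTS = [
    ("root", "localhost"),
    ("app", "127.0.0.1"),
    ("dba", "10.0.5.%"),
    ("report", "198.51.100.0/255.255.255.0"),
    ("legacy", "%"),
]
# Assumption: the tunnel script runs on the database host, so MySQL sees these origins.
TUNNEL_ORIGINS = ["localhost", "127.0.0.1"]
# Constructed address of an untrusted client somewhere on the Internet.
REMOTE_CLIENT = "203.0.113.50"


def host_pattern_matches(pattern, origin):
    """MySQL account-host matching: '%' = any run, '_' = one char, or ip/netmask."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:  # origin is a name such as 'localhost', or a bad pattern
            return False
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, origin, re.IGNORECASE) is not None


def tunnel_only_accounts(accounts, tunnel_origins, client):
    """Accounts a direct connection from `client` would fail the host check for,
    but which pass it when the same client connects through the tunnel."""
    exposed = []
    for user, host in accounts:
        direct = host_pattern_matches(host, client)
        tunneled = any(host_pattern_matches(host, o) for o in tunnel_origins)
        if tunneled and not direct:
            exposed.append((user, host))
    return exposed


if __name__ == "__main__":
    for user, host in tunnel_only_accounts(ACCOUNTS, TUNNEL_ORIGINS, REMOTE_CLIENT):
        print(f"{user}@{host}: host restriction ineffective behind the tunnel")
```

Accounts reported here depend entirely on access control in front of the tunnel script, which is why the Solution calls for a connection method restricted to trusted sources.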